---
# Code generated by 'make generate-documentation'. DO NOT EDIT.
title: Gadget seccomp
---

The seccomp gadget traces system calls for each container in order to generate
seccomp policies.

The seccomp policies can be generated in two ways:

1. on demand with the gadget.kinvolk.io/operation=generate annotation. In this
   case, the Trace.Spec.Filter should specify the namespace and pod name to the
   exclusion of other fields because there can be only one SeccompProfile
   written in the Trace.Status.Output or in the SeccompProfile resource named
   by Trace.Spec.Output. The on-demand generation supports the outputMode
   Status and ExternalResource.
2. automatically when containers matching the Trace.Spec.Filter terminate. In
   this case, all filters are supported. The at-termination generation supports
   the outputMode ExternalResource and Stream.

The seccomp policies can be written in the Status field of the Trace custom
resource, or in SeccompProfiles custom resources managed by the [Kubernetes
Security Profiles
Operator](https://github.com/kubernetes-sigs/security-profiles-operator).

SeccompProfiles will have the following annotations:

* seccomp.gadget.kinvolk.io/trace: the namespaced name of the Trace custom
  resource that generated this SeccompProfile
* seccomp.gadget.kinvolk.io/node: the node where this SeccompProfile was
  generated
* seccomp.gadget.kinvolk.io/pod: the pod namespaced name of the pod that was
  traced
* seccomp.gadget.kinvolk.io/container: the container name in the pod that was
  traced
* seccomp.gadget.kinvolk.io/ownerReference-APIVersion: the ownerReference's
  APIVersion of the pod that was traced
* seccomp.gadget.kinvolk.io/ownerReference-Kind: the ownerReference's Kind of the
  pod that was traced
* seccomp.gadget.kinvolk.io/ownerReference-Name: the ownerReference's Name of the
  pod that was traced
* seccomp.gadget.kinvolk.io/ownerReference-UID: the ownerReference's UID of the
  pod that was traced

SeccompProfiles will have the same labels as the Trace custom resource that
generated them. They don't have meaning for the seccomp gadget. They are
merely copied for convenience.


### Example CR

```yaml
apiVersion: gadget.kinvolk.io/v1alpha1
kind: Trace
metadata:
  name: seccomp
  namespace: gadget
  labels:
    team: devops
spec:
  node: minikube
  gadget: seccomp

  # # Example of filter for manual generation with the
  # # gadget.kinvolk.io/operation=generate annotation. This needs a namespace and
  # # podname to the exclusion of other fields.
  # filter:
  #   namespace: default
  #   podname: mypod

  # Another example of filter for automatic generation when containers
  # terminate. All fields are supported.
  filter:
    namespace: default

  runMode: Manual
  outputMode: ExternalResource
  output: gadget/myseccomp
```
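
The generation rules at the top of this page can be checked before a Trace is applied. The following is an added example, not code from Inspektor Gadget: a Python pre-flight check that takes a Trace's spec as a dict. The function name, the "on-demand"/"at-termination" labels and the requirement that ExternalResource comes with a non-empty output are assumptions of this example.

```python
# Added example (not Inspektor Gadget code): pre-flight check of a Trace spec
# against the constraints this page states for the seccomp gadget.

# outputMode values this page lists for each generation path.
ALLOWED_OUTPUT_MODES = {
    "on-demand": {"Status", "ExternalResource"},
    "at-termination": {"ExternalResource", "Stream"},
}
ON_DEMAND_FILTER_FIELDS = {"namespace", "podname"}


def check_trace_spec(spec, generation):
    """Return a list of problems; an empty list means the spec is consistent.

    spec: the Trace's .spec as a dict (e.g. parsed from `kubectl get -o json`).
    generation: "on-demand" or "at-termination" (labels chosen for this example).
    """
    if generation not in ALLOWED_OUTPUT_MODES:
        raise ValueError(f"unknown generation path: {generation!r}")
    problems = []
    if spec.get("gadget") != "seccomp":
        problems.append("spec.gadget is not 'seccomp'")

    mode = spec.get("outputMode")
    allowed = ALLOWED_OUTPUT_MODES[generation]
    if mode not in allowed:
        problems.append(
            f"outputMode {mode!r} not supported for {generation} generation; "
            f"use one of {sorted(allowed)}"
        )
    # Assumption: ExternalResource writes to the SeccompProfile named by
    # spec.output, so an empty output is treated as an error here.
    if mode == "ExternalResource" and not spec.get("output"):
        problems.append("outputMode ExternalResource needs spec.output")

    if generation == "on-demand":
        # Only one profile can be written, so the filter must pin one pod.
        set_fields = {k for k, v in (spec.get("filter") or {}).items() if v}
        missing = ON_DEMAND_FILTER_FIELDS - set_fields
        extra = set_fields - ON_DEMAND_FILTER_FIELDS
        if missing:
            problems.append(f"filter is missing {sorted(missing)}")
        if extra:
            problems.append(f"filter sets unsupported fields {sorted(extra)}")
    return problems
```

Run against the Example CR above, the check passes for at-termination generation and reports the missing podname for on-demand generation.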

### Operations


#### start

Start recording syscalls

```bash
$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=start
```

#### generate

Generate a seccomp profile for the pod specified in Trace.Spec.Filter. The
namespace and pod name should be specified to the exclusion of other fields.

```bash
$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=generate
```

#### stop

Stop recording syscalls

```bash
$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=stop
```

### Output Modes

* ExternalResource
* Status
* Stream
